Status: Live
The organization will report on the percentage of identified risks that have a defined risk mitigation plan. [UCF ID 02042]
Metric guidance
Calculation: The calculation for this metric is # of identified risks that have a defined risk mitigation plan / # of identified risks.
Calculation source: No authority document source of information exists. The following formula was used: the number of identified risks that have been assigned a fix or control to mitigate the risk from occurring, divided by the total number of risks that were identified during risk analyses for each business unit (or the organization as a whole) during the reporting period.
The Common Control IDs associated with this metric are as follows:
• Safeguard selection and prioritization in light of risk assessment findings [UCF Control ID 00707]
• Risk action plan in light of risk assessment findings [UCF Control ID 00705]
• Report monitoring statistics and follow-up to the Board of Directors [UCF Control ID 00676]
Supporting and supported controls
This control directly supports:
• Establish and maintain an information risk threshold metrics standard [UCF Control ID 01694]
There are no supporting controls.
Authority documents complied with:
CISWG Information Security Program Elements, January 10, 2005, ISPE10.3; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.2
US Federal Security Guidance
The organization must measure and report on the percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy. [ISPE10.3, CISWG Information Security Program Elements, January 10, 2005]
General Guidance
The purpose of this measurement is to measure the percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy. [§ 18.2, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
